
One in five IceWarp mail servers still vulnerable to pre-pandemic security flaw


John Leyden

09 September 2021 at 13:47 UTC

Updated: 09 September 2021 at 14:10 UTC

Vendor agrees that XSS bug poses a grave danger, but warns ‘it can’t force customers to upgrade’

One in five IceWarp mail servers still vulnerable to an XSS security flaw resolved more than a year ago

Tens of hundreds of IceWarp mail server systems remain vulnerable to a troublesome web security vulnerability, even though the issue was patched last year.

Lütfü Mert Ceylan, the 16-year-old Turkish security researcher and bug hunter who found the vulnerability (CVE-2020-8512) back in January 2020, told The Daily Swig that more than one in five IceWarp systems remain vulnerable to the cross-site scripting (XSS) flaw.

“The vulnerability might be detected and exploited very simply” and “results in the leak of consumer info”, Ceylan warned.

You got XSS

IceWarp is mail and collaboration server software aimed at small to mid-range businesses and as an alternative to services such as Microsoft Exchange.

The XSS vulnerability in question was resolved in of IceWarp.

Earlier versions of the technology are vulnerable to a flaw that means an attacker can use an XSS loophole in the /WebMail/ colour parameter to send a malicious script to unsuspecting admins or users.


Searches using the Shodan IoT search engine and other tools allowed Ceylan to estimate that 21% of systems are running earlier versions of the software and are therefore vulnerable.

Getting the word out

In response to queries from The Daily Swig, the IceWarp development team agreed with Ceylan’s diagnosis of the problem, while reiterating that those affected are running unsupported versions of the technology.

Antonin Pruki, CTO of Czech Republic-based IceWarp, said the vendor was encouraging customers to upgrade but ultimately it cannot force them to do an upgrade since IceWarp is installed on their own hardware and is therefore “fully under their control”.

He said:

IceWarp 11.4.4 was released in 2016 and we actually received the first report about this particular vulnerability back in 2017.

It was already addressed back then, and our customers have been informed through [the] normal channels. Moreover, since that time there have been two new generations of the login screen, which is now built on top of a completely different stack than was the case in 2016.

So even at the time when CVE-2020-8512 was published, the problem had been addressed a few years ago. Last but not least, the version 11.4.4 is not officially supported any more.

“There’s an obvious problem, however, that many customers still run on version 11.4 and older,” Pruki warned.

“We also tried to reach all customers again a year ago and strongly recommended them to consider an upgrade,” Pruki concluded.


Reacting to these comments, Ceylan told The Daily Swig that there may be practical reasons as to why some users have delayed upgrading their systems, apart from general tardiness.

It’s true that IceWarp creates new login structures, but when I reviewed the CVEs reported by other researchers in the past, I noticed that the vulnerabilities found in the first subversions of IceWarp 11 were not fixed with security patches in the subsequent subversions.

In other words, no action has been taken regarding the vulnerabilities detected in subversions (11.0, 11.1, 11.2, 11.3, and 11.4) until the release and outdated date of IceWarp 11.

These security patches were largely outdated to IceWarp 11 and added later when new versions (IceWarp 12.x and so on) started to come out. That is why almost no company has applied this patch, leaving tens of hundreds of websites potentially vulnerable.

IceWarp disputed this interpretation and said its release cycle was more aligned with that of Google Chrome or Adobe Acrobat Reader than Microsoft Exchange.

Pruki concluded: “I fully agree with Lütfü’s [Ceylan] findings, i.e. the number of customers that run an outdated version of IceWarp that has this vulnerability (and also a couple of other vulnerabilities that were discovered and addressed later) is still too high.”
